b'                                           AAAAAAAAAAAAAAAAA\n\n\n\n\n              U.S. Department of Energy\n              Office of Inspector General\n              Office of Inspections and Special Inquiries\n\n\n\n\nInspection Report\nExcessing of Computers Used for\nUnclassified Controlled Information at\nLawrence Livermore National\nLaboratory\n\n\n\n\nDOE/IG-0759                                  March 2007\n\x0c\x0c\x0c\x0cEXCESSING OF COMPUTERS USED FOR UNCLASSIFIED\nCONTROLLED INFORMATION AT LAWRENCE LIVERMORE\nNATIONAL LABORATORY\n\nTABLE OF\nCONTENTS\n\n              OVERVIEW\n\n              Introduction and Objectives      1\n\n              Observations and Conclusions     2\n\n\n              DETAILS OF FINDINGS\n\n              Policy Implementation Delayed    3\n\n              Excessing of Computers at LLNL   5\n\n\n              RECOMMENDATIONS                  6\n\n\n              MANAGEMENT COMMENTS              6\n\n\n              INSPECTOR COMMENTS               6\n\n\n              APPENDICES\n\n              A. Scope and Methodology         7\n\n              B. Management Comments           8\n\n              C. Prior Reports                 9\n\x0cOverview\n\nINTRODUCTION     The Department of Energy\xe2\x80\x99s (DOE\xe2\x80\x99s) Lawrence Livermore\nAND OBJECTIVES   National Laboratory (LLNL) is a research and development\n                 institution that supports the core mission of national security. The\n                 University of California manages and operates LLNL for the\n                 National Nuclear Security Administration (NNSA).\n\n                 DOE spends over $2 billion each year on information technology\n                 and has a current inventory of approximately 800 information\n                 systems, including up to 115,000 personal computers, many\n                 powerful supercomputers, numerous servers, and a broad array of\n                 related peripheral equipment. The unclassified computers and\n                 electronic memory devices in these information technology systems\n                 may contain \xe2\x80\x9cunclassified controlled information.\xe2\x80\x9d This term\n                 includes unclassified controlled nuclear information, proprietary\n                 information, export controlled information, official use only\n                 information, and personally identifiable information, which can\n                 include employee social security number, place of birth, and date of\n                 birth.\n\n                 DOE has long recognized the importance of protecting unclassified\n                 controlled information stored on computers and other electronic\n                 memory devices, particularly when this equipment is no longer needed\n                 and becomes excess property. Excess property items, including\n                 unclassified computers and other electronic memory devices, may be\n                 transferred for reuse within DOE facilities or other governmental\n                 agencies, donated for educational purposes, sold, or salvaged.\n\n                 At LLNL, there are approximately 23,000 computers currently in\n                 use, and approximately 5,300 computers are excessed each year.\n                 To prevent the unauthorized dissemination of unclassified\n                 controlled information, DOE policy requires that data stored on\n                 computers and electronic memory devices must be properly\n                 removed or physically destroyed before these devices are internally\n                 transferred or released from a DOE-controlled environment. DOE\n                 approved methods for removing and/or destroying data on memory\n                 devices include: overwriting (often referred to as sanitizing and/or\n                 clearing) the data a specific number of times; electronically\n                 destroying the data on the memory devices by using a degaussing\n                 machine; and physically pulverizing, incinerating, smelting, or\n                 disintegrating the memory devices. Overwriting is the only\n                 method that does not physically or electronically damage memory\n                 devices, thus it allows a memory device to be reused.\n\n\n\nPage 1                                            Excessing of Computers Used\n                                                  for Unclassified Controlled\n                                                  Information at Lawrence\n                                                  Livermore National Laboratory\n\x0c                   The objectives of this inspection were to determine if LLNL:\n                   (1) excessed unclassified computers and other electronic memory\n                   devices in accordance with applicable policies and procedures and\n                   (2) had adequate internal controls in place to prevent the\n                   unauthorized dissemination of unclassified controlled information.\n\nOBSERVATIONS AND   We concluded that although LLNL was adhering to its own\nCONCLUSIONS        policies and procedures regarding excessing of unclassified\n                   computers and other electronic memory devices, LLNL\xe2\x80\x99s policies,\n                   procedures, and internal controls were not always consistent with\n                   applicable DOE policies. Specifically, we found that:\n\n                   \xe2\x80\xa2   NNSA delayed having LLNL implement Department policy on\n                       clearing, sanitizing, and destroying memory devices for almost\n                       2\xc2\xbd years after the policy was issued. Department directives on\n                       the topic were issued in February 2004 and June 2005 and were\n                       applicable to NNSA sites. However, instead of directing LLNL\n                       to implement the directives, NNSA waited while its Office of the\n                       Chief Information Officer (OCIO) drafted a policy letter to\n                       provide LLNL and other NNSA sites with specific requirements\n                       for clearing, sanitizing, and destroying unclassified controlled\n                       information on computers and electronic memory devices.\n                       NNSA did not issue the policy letter until August 2006. As of\n                       March 1, 2007, LLNL was working on implementing the policy.\n\n                   \xe2\x80\xa2   Due to the delay in implementing the DOE directives at LLNL,\n                       the Laboratory did not establish certain site-wide procedures\n                       and internal controls necessary to ensure the proper clearing,\n                       sanitization, and destruction of memory devices. In particular,\n                       LLNL did not ensure that during the excessing process all\n                       equipment that potentially contained embedded memory\n                       devices was examined to make certain that stored data was\n                       properly removed; that computer hard drives reused on-site\n                       were adequately overwritten; and that the overwriting of\n                       memory devices was always properly documented in\n                       accordance with Department policy.\n\n                   Reviews by the Office of Inspector General at other DOE sites\n                   have also identified weaknesses in the excessing of computers and\n                   other electronic memory devices. A list of the associated reports is\n                   found in Appendix C.\n\n\n\n\nPage 2                                              Observations and Conclusions\n\x0cDetails of Findings\n\nPOLICY                We found that NNSA delayed having LLNL implement Department\nIMPLEMENTATION        policy on clearing, sanitizing, and destroying memory devices for\nDELAYED               almost 2\xc2\xbd years after the policy was issued. Department directives\n                      on the topic were issued in February 2004 and June 2005 and were\n                      applicable to NNSA sites. However, instead of directing LLNL to\n                      implement the directives, NNSA waited while its OCIO drafted a\n                      policy letter to provide LLNL and other NNSA sites with specific\n                      requirements for clearing, sanitizing, and destroying unclassified\n                      controlled information on computers and electronic memory\n                      devices. NNSA did not issue the policy letter until August 2006.\n                      As of March 1, 2007, according to Livermore Site Office (LSO)\n                      officials, LLNL was working on implementing the policy.\n\n                      In 2000, Congress enacted the National Nuclear Security\n                      Administration Act (NNSA Act), which established NNSA as a\n                      separately organized agency within DOE, with the NNSA\n                      Administrator being responsible for overseeing the agency. As an\n                      organizational element within DOE, NNSA is subject to a DOE\n                      directive if either the Secretary or Deputy Secretary of Energy issues\n                      the directive stating that it is applicable to NNSA. Additionally, under\n                      the NNSA Act, the NNSA Administrator has the authority and\n                      responsibility to develop policies and guidance for all organizations\n                      within NNSA. NNSA has created a system of policy letters (referred\n                      to as \xe2\x80\x9cNAPs\xe2\x80\x9d) as one of the methods used to implement DOE policies,\n                      establish internal policies, and provide guidance to its elements.\n\n                      In February 2004, DOE Notice 205.12, \xe2\x80\x9cClearing, Sanitizing, and\n                      Destroying Information System Storage Media, Memory Devices,\n                      and Other Related Hardware,\xe2\x80\x9d was issued by the Deputy Secretary.\n                      The Notice identified specific requirements for removing\n                      unclassified controlled information from electronic memory\n                      devices to prevent unauthorized dissemination of the information\n                      when the devices were excessed and removed from a DOE-\n                      controlled environment. The Notice specified that it was\n                      applicable to NNSA, with a 90-day implementation period from\n                      the date of the policy\xe2\x80\x99s issuance.\n\n                      In June 2005, DOE Manual 205.1-2, \xe2\x80\x9cClearing, Sanitization, and\n                      Destruction of Information System Storage Media, Memory Devices,\n                      and Related Hardware Manual,\xe2\x80\x9d was issued to replace DOE Notice\n                      205.12. The Manual was issued by the Secretary and identified\n                      specific requirements for removing unclassified controlled\n                      information from electronic memory devices prior to the devices\n                      leaving a DOE-controlled environment. The Manual also was\n                      applicable to NNSA and had a 90-day implementation period.\n\n\n\nPage 3                                                               Details of Findings\n\x0c         LSO officials told us that, after the Notice was issued, LSO was\n         directed not to implement it locally because a NAP was being\n         developed that would address the actions required by the Notice.\n         LSO officials provided us with February 2004 and March 2004 e-\n         mails to NNSA officials requesting guidance on implementing the\n         Notice. In its e-mails, LSO indicated that it was trying to\n         determine whether the Notice should be added to LLNL\xe2\x80\x99s contract.\n         A response from an NNSA Albuquerque Service Center official\n         said that an official from NNSA\xe2\x80\x99s OCIO stated at an \xe2\x80\x9call fed\xe2\x80\x9d\n         meeting on February 25, 2004, that no NNSA site should take\n         action until the NNSA OCIO official directs it and to expect\n         further guidance from the NNSA OCIO. A March 2004 e-mail\n         from the NNSA OCIO official responding to one of the LSO\n         queries stated that \xe2\x80\x9cIt appears that we will need to issue another\n         NAP to implement 205.12.\xe2\x80\x9d LSO officials told us that they must\n         rely on directions from the NNSA OCIO in order to implement\n         cyber security related Department policy at LLNL. Therefore,\n         they said, they delayed implementing the Notice and the successor\n         Manual into the LLNL management contract pending the release\n         of the NAP by the NNSA OCIO.\n\n         LSO officials said that it was not until February 2006 that NNSA\n         finally instructed LSO to incorporate the Manual into the LLNL\n         contract. The Manual was incorporated into the LLNL contract in\n         July 2006. In August 2006, NNSA issued NAP-14.16, \xe2\x80\x9cClearing,\n         Sanitizing, and Destroying Information System Storage Media,\n         Memory Devices, and Other Related Hardware.\xe2\x80\x9d Thus, there was\n         a delay of almost 2\xc2\xbd years in NNSA directing the implementation\n         of Department policy regarding clearing, sanitizing, and destroying\n         information on memory devices. As of March 1, 2007, according\n         to LSO officials, LLNL was working on implementing the policy.\n\n         When asked about the delay, one NNSA OCIO official cited\n         various issues, including resources, and acknowledged that\n         authorization was not obtained to delay implementation of the\n         Notice and the Manual. The NNSA OCIO official referred to above\n         in the e-mails provided by LSO also cited issues such as resources\n         as leading to the delay in issuing NAP-14.16. However, he said that\n         he did not direct LSO to not implement the two directives locally\n         and that ultimately it was the responsibility of LSO to implement\n         Department policy into the LLNL management contract.\n\n         We reviewed NAP-14.16 and noted that its requirements were very\n         similar to those in the Manual. In addition, many of the LSO\n         officials we interviewed during our inspection told us that in their\n\n\n\nPage 4                                                  Details of Findings\n\x0c                    opinions it would have been much simpler to implement the\n                    Notice, and later the Manual, rather than wait for the NAP.\n\n                    We contacted NNSA officials at other NNSA sites regarding their\n                    implementation of the Manual and were provided information\n                    indicating the Manual was implemented inconsistently throughout\n                    the NNSA complex. For example, we were told that Sandia\n                    National Laboratories and Los Alamos National Laboratory did not\n                    implement the Manual within the designated 90-day period, but\n                    that the Nevada Test Site and the Kansas City Plant did.\n\nEXCESSING OF        We found that, due to the delay in implementing the DOE\nCOMPUTERS AT LLNL   directives at LLNL, the Laboratory did not establish certain site-\n                    wide procedures and internal controls necessary to ensure the\n                    proper clearing, sanitization, and destruction of memory devices.\n                    As discussed below, LLNL did not ensure that during the\n                    excessing process all equipment that potentially contained\n                    embedded memory devices was examined to make certain that\n                    stored data was properly removed; that computer hard drives\n                    reused on-site were adequately overwritten; and that the\n                    overwriting of memory devices was always properly documented\n                    in accordance with Department policy.\n\nDisposal of Other   DOE Manual 205.1-2 provides specific requirements for clearing,\nOffice Equipment    sanitizing, and destroying various types of memory devices that\n                    may be embedded in electronic equipment, such as facsimile and\n                    copier machines, prior to excessing the equipment. We determined\n                    that, prior to excessing, LLNL did not always examine facsimile\n                    and copier machines for possible embedded memory devices that\n                    could retain scanned information. We also determined that LLNL\n                    did not have specific policies and procedures comparable to those\n                    in the Manual that identify different types of memory devices and\n                    the specific methods and requirements for clearing, sanitizing, or\n                    destroying these devices.\n\nInternal Reuse of   DOE Manual 205.1-2 requires that computer hard drives\nComputers           containing unclassified controlled information be overwritten three\n                    times before being transferred to a new user within a DOE-\n                    controlled environment. This procedure ensures that unclassified\n                    controlled information, including personally identifiable\n                    information, cannot be recovered from the hard drives by\n                    individuals reusing the computers. We determined that many times\n                    computer hard drives that may have been used to process\n                    unclassified controlled information were only being overwritten one\n                    time prior to being transferred to new users within LLNL.\n\n\n\nPage 5                                                            Details of Findings\n\x0cDocumentation     DOE Manual 205.1-2 requires that, when memory devices are\nRequirements      cleared and/or sanitized (e.g., overwritten) to remove unclassified\n                  controlled information, detailed documentation must be maintained\n                  that includes: the media serial number, make, and model; the\n                  purpose for clearing or sanitizing; and the procedures used. We\n                  were told by LLNL officials that many of the LLNL directorates\n                  clear, sanitize, and/or remove hard drives from excess computers\n                  prior to their being sent to LLNL\xe2\x80\x99s excess property center and that\n                  they had not documented the required information.\n\nRECOMMENDATIONS   We recommend that the Administrator, NNSA:\n\n                  1. Review the circumstances regarding the failure to implement DOE\n                     Notice 205.12 and the delayed implementation of DOE Manual\n                     205.1-2; then take appropriate action to ensure there is not a\n                     recurrence of such a delay in implementing policy within NNSA.\n\n                  2. Ensure that the requirements of DOE Manual 205.1-2 and\n                     NAP-14.16 have been implemented throughout NNSA.\n\n                  We recommend that the Manager, Livermore Site Office, ensures that:\n\n                  3. All computers and other equipment with electronic memory\n                     devices that contain or may contain unclassified controlled\n                     information are cleared/sanitized in accordance with the\n                     requirements in DOE Manual 205.1-2 and NAP-14.16 prior to\n                     transfer to a new user within a DOE-controlled environment.\n\n                  4. LLNL implements DOE Manual 205.1-2 and NAP-14.16\n                     requirements pertaining to: (a) documentation of the clearing\n                     and/or sanitization of unclassified controlled information\n                     memory devices; and (b) the examination of electronic\n                     equipment that potentially has embedded memory devices.\n\nMANAGEMENT        In comments on a draft of this report, management did not\nCOMMENTS          specifically state whether it concurred with our recommendations;\n                  however, management indicated that certain corrective actions\n                  have been or will be initiated.\n\nINSPECTOR         We will work with management to ensure appropriate resolution of\nCOMMENTS          our recommendations. Management\xe2\x80\x99s comments are included in\n                  their entirety at Appendix B.\n\n\n\n\nPage 6                                                    Recommendations\n                                         Management and Inspector Comments\n\x0cAppendix A\n\nSCOPE AND     The fieldwork for this inspection was conducted between April\nMETHODOLOGY   and June 2006. As part of this inspection, we interviewed NNSA,\n              LSO, and LLNL officials, as well as LLNL employees involved in\n              the excessing of computers and other equipment that utilizes\n              electronic memory devices. We also reviewed DOE, NNSA, and\n              LLNL policies, procedures, and records relating to the excessing of\n              information technology equipment. Documents used in this review\n              included:\n\n              \xe2\x80\xa2   41 Code of Federal Regulations 102, \xe2\x80\x9cFederal Management\n                  Regulations\xe2\x80\x9d;\n\n              \xe2\x80\xa2   DOE Notice 205.12, \xe2\x80\x9cClearing, Sanitizing, and Destroying\n                  Information System Storage Media, Memory Devices, and\n                  Other Related Hardware\xe2\x80\x9d;\n\n              \xe2\x80\xa2   DOE Manual 205.1-2, \xe2\x80\x9cClearing, Sanitization, and Destruction\n                  of Information System Storage Media, Memory Devices, and\n                  Related Hardware Manual\xe2\x80\x9d;\n\n              \xe2\x80\xa2   National Nuclear Security Administration Act (Public Law\n                  106-65); and\n\n              \xe2\x80\xa2   NAP-14.16, \xe2\x80\x9cClearing, Sanitizing, and Destroying Information\n                  System Storage Media, Memory Devices, and Other Related\n                  Hardware.\xe2\x80\x9d\n\n              Pursuant to the requirements of the Government Performance and\n              Results Act of 1993, we assessed the performance measures\n              applicable to the excessing of computers used for unclassified\n              controlled information at LLNL.\n\n              This inspection was conducted in accordance with the \xe2\x80\x9cQuality\n              Standards for Inspections\xe2\x80\x9d issued by the President\xe2\x80\x99s Council on\n              Integrity and Efficiency.\n\n\n\n\nPage 7                                                Scope and Methodology\n\x0cAppendix B\n\n\n\n\nPage 8       Management Comments\n\x0cAppendix C\n\nPRIOR REPORTS   The following Office of Inspector General reports are related to the\n                excessing of computers and other electronic memory devices.\n\n                \xe2\x80\x9cInternal Controls for Excessing and Surplusing Unclassified\n                Computers at Los Alamos National Laboratory\xe2\x80\x9d (DOE/IG-0734,\n                July 2006). This report found that Los Alamos did not follow\n                DOE directives and internal policies pertaining to excessing\n                computers. As a result, an excessed computer with an intact,\n                unsanitized hard drive was sold to the public. Further, the internal\n                control failure relating to the excessing and surplusing of this\n                computer raised concerns as to whether the hard drives for seven\n                other computers excessed at the same time were sanitized and\n                removed prior to the computers being sent to auction.\n\n                \xe2\x80\x9cDestruction of Classified Hard Drives at Sandia National\n                Laboratory-New Mexico\xe2\x80\x9d (DOE/IG-0735, August 2006). This\n                report found that Sandia did not destroy classified computer hard\n                drives in accordance with DOE directives. Sandia did not always\n                maintain proper documentation, destroy hard drives on the same\n                day they were removed from the site, obtain proper approval for\n                off-site destruction of hard drives, and use appropriately cleared\n                personnel for the destruction process.\n\n                \xe2\x80\x9cExcessing of Computers Used for Unclassified Controlled\n                Information at Idaho National Laboratory\xe2\x80\x9d (DOE/IG-0757). This\n                report found that the Idaho National Laboratory (INL) did not have\n                adequate policies and internal controls for excessing computers\n                and other electronic memory devices to prevent the unauthorized\n                dissemination of unclassified controlled information. INL did not\n                always excess computers in accordance with applicable policies\n                and procedures, and new Department policies on clearing,\n                sanitizing, and destroying hard drives and other memory devices\n                were not implemented at INL for approximately 16 months.\n\n\n\n\nPage 9                                                               Prior Reports\n\x0c                                                                    IG Report No. DOE/IG-0759\n\n                           CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its\nproducts. We wish to make our reports as responsive as possible to our customers\xe2\x80\x99 requirements,\nand, therefore, ask that you consider sharing your thoughts with us. On the back of this form,\nyou may suggest improvements to enhance the effectiveness of future reports. Please include\nanswers to the following questions if they are applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding this\n   report?\n\n2. What additional information related to findings and recommendations could have been\n   included in the report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\xe2\x80\x99s overall\n   message clearer to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the issues\n   discussed in this report which would have been helpful?\n\n5. Please include your name and telephone number so that we may contact you should we have\n   any questions about your comments.\n\n\nName                                          Date\n\nTelephone                                     Organization\n\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at\n(202) 586-0948, or you may mail it to:\n\n                               Office of Inspector General (IG-1)\n                                     Department of Energy\n                                    Washington, DC 20585\n\n                                  ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact Judy Garland-Smith at (202) 586-7828.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly\n and cost effective as possible. Therefore, this report will be available electronically through the\n                                 Internet at the following address:\n\n               U.S. Department of Energy Office of Inspector General Home Page\n\n\n\n  Your comments would be appreciated and can be provided on the Customer Response Folm\n                                 attached to the report.\n\x0c'